You are missing the fact, that Microwave Ovens despite being 1000 Watts still use Electromagnetic energy with an 0.00001 eV photon.
Cooking an egg is a massive chemical change over a large volume. A change 1/1000th that in magnitude to the human body could still be significant.
Not every molecule in the humam body is a carbon atom.
And the energy emitted doesn't necessarily need to be high enough power to alter a bond.
If the photons emitted can be absorbed by other nucleii and cause emission of a higher-energy photon, then a chemical change can occur.
The human body is also not in equillibrium, as there are already chemical processes occuring, and some of these may be sensitive to change in temperature, or uneven sudden heating, even if it's just a couple degrees change in temperature after an hour on the phone.
Could it be that some of them are secretly funded by organizations of luddites?
It's easy to see how studies funded by wireless technology companies / wireless technology manufacturers could be biased.
But have the funding sources of these "independent" studies been investigated, to ensure their backers don't have an anti-RF, anti-Wireless, or anti-Cellphone agenda?
There are a lot of companies' who lose or are slated to lose business as wireless technologies become ubiquitous and replace wired technology.
Also, there are many non-profits and government interests who would probably like to have cell phones banned.
Or at least require cell providers to give them a 'global off switch' to assist with crowd control.
Moreover, there might be technology companies that want cell phones banned so they can make billions selling a "non-harmful wireless" technology
Also, being able to be the study to show wireless is harmful, would make the people behind the study world-known, they'd get fame notoriety, and cash, as a result of the popularity of their work. E.g. it would be profitable, in the form of lots of media attention, fame in peer-reviewed journals, and a great resume entry for the people heading up the study.
Assessments like number of studies independent VS number of studies industry funded are worthless, unless evidence can be shown that the independent studies were really funded and done by neutral parties who have zero commercial or personal interest in biasing the outcome.
I'll agree that the electromagnetic absorpotion due to a single photon is small.
But a cell phone release more than 1 photon, and the total energy and absorpotion of the electromagnetic wave is much larger than one photon.
And might be sufficient to cause heating of tissue and other effects given a sufficient period of direct exposure to a sufficiently strong cell signal.
For some reason Firefox randomly decides to not type one of the words I typed while the glowing annoying pin-wheel is displaying, and the cursor hasn't caught up yet
Some safety may be built into the standard, but it's done that way for a reason.
They need to take action to fix this, and not ignore it on bogus reasoning like safety is built-in to the number.
I would equate this to having a hard drive in your 30,000 transactions per second, multi-million dollar database system, and deciding not to do anything right now.
Because your RAID10 array has ample safety built into it, and you don't have a catstrophe yet. *Yawn* we can just ignore the problem.
Scanners exist because people want scanners, and so people can sell a product labelled "security scanner".
And get a feel-good (false) sense that everything is secure when the scanner reports no issues.
This idea started with the general idea of vulnerability scanner, tools designed to scan hosts for open ports, check software versions, and try exploits against known issues.
The problem with all of them is they can only detect anticipated vulnerabilities.
Unknown vulnerabilities are not properly detected by scanner, because they cannot be anticipated by software.
Much like Antivirus, they need pattern updates and a re-scan when new issues are discovered.
Sometimes they don't get updated at all -- sometimes new vulnerabilities are discovered, but a test doesn't get created for the scanner.
Sometimes hackers become aware of security vulnerabilities that the maker of the scanner doesn't become aware of.
Sometimes the hacker can analyze the app you are running (which is industry-specific, not common),
and tailor an attack against you, that the scanner vendor could never anticipate.
So are scanners worth something? Sure.
But usually not nearly as much as the software vendor bills for them -- they are more fallible than even virus scanners (at least viruses, and malware are finite in number, even if a very large number --- there are more potential security vulnerabilities than one could possibly imagine).
This is like giving the telephone a nobel peace prize.
The prize should not be awarded to the medium, but to actual people....
The internet is not a person, as a result, they can never show up to claim their prize.
I would support giving a Nobel prize to Jon Postel, (but unfortunately he's dead and therefore inelligible), Tim Berners lee, and others, such as Linus Torvalds, Mark Zuckerburg, or shudder Bill Gates.
Before the internet can get a nobel peace prize, computers, and their operating systems should, since they are a pre-requisite and even more crucial to bringing peace:)
There's nothing wrong with some people still using DOS apps, but there aren't that many of them.
They should have to install/enable the feature manually for the program as admin before they can run the DOS app.
For the same reason UUcp or NNTP is not shipped with BSD/Linux anymore, despite some people still using it.
It is a security risk to have unmaintained software or infrequently used functions available or running by default.
Since hardly anyone uses UseNet or NNTP anymore, having a NNTP service running or a setuid newsreader installed by default, would be a needless risk.
There should be no middle ground for any part of the system: either it gets blocked or disabled by default, or it gets full scrutiny during security audits.
Then, they would be one of the few windows users who would need the feature manually enabled by the admin for that one program.
But it doesn't need to be enabled in general so that arbitrary programs can easily be run in
16-bit mode just by downloading them and double-clicking a.EXE or.PIF.
Yes... the only question is... Why didn't Microsoft disable running DOS apps by default?
Since hardly anyone does it, and the facility is only provided for backwards compatibility, it ought to require explicit manual admin action to enable.
Given the security risk exposure of having such a rarely-used feature exposed as part of the potential attack surface.
So what does screen actually do to protect the programs inside? I mean with the privileges to attach the screen and not knowing the pw, you usually also have the privileges to debug the bastard and skip the pw check altogether.
The screen binary is supposed to be setGID.
Normally setGID tty or setUID root.
Once the binary is launched with setGID privileges, it is not possible to attach a debugger to it, unless you are root.
Of course, root can do anything, unless you have taken special precautions, such as a restrictive SELinux MAC policy, set the capabilities bounding set, or increased the system's securelevel, to remove privileges from the root user.
If it was just the corporations, then the other people would start making more sales when they tried to impose their will.
Individual authors, e.g. self-publishing eBook authors would probably want to charge the higher prices too.
The thing is... the fewer books you sell, the higher your average costs per book.
You sell 1 million books... thanks to bookstores, and major retailers pushing your product, the price you need to charge to make a certain profit is much less.
If you self-publish and you sell 1000 copies through word of mouth online print-on-demand, your costs per book (avg) are much higher, and you have to have charged a higher price to break even.
Oh yeah, and you can't predict how many copies of a certain title will sell in advance.
You can only guess and price your risk in.
In theory, you should charge less if you forecast a larger number of sales, because your bulk printing costs are less per book.
Publishers don't work that way though.... quite the opposite.. they'll charge more for books from popular authors they anticipate making more sales of.
The more popular they anticipate the title to be, the more copies the print, and the higher price they charge per book.
The more relatively unknown authors, get fewer books printed, lower prices
Anyways, i'm sure this is more profitable -- more cash for the shareholders, even though it involves screwing the consumer.
Pure greed.
Hence the reason $9.99 "Isn't enough" for a general-audiences eBook from a major publisher.
*Note: I can certainly understand technical non-fiction eBooks such as programming language books with small audiences being more expensive--
extensive research and expensive expertise required to author, limited audience.
.... But.. if it didn't carry a price tag, who would want to buy it, and how could there be any profit in selling it?
Murdoch's profits, the sustainability of his investments, and perhaps the very survival of his companies as they exist currently hinge on there being a price-tag.
In other words, if you use RDP, and have not gone to substantial lengths to secure against MiTM attack, then if you yourself use RDP, it will be much less secure than the typical SSH setup (where each server has its own host key, and the client has memorized or been populated with the correct ones).
Does XP have a protected mode? That's the version of Windows most people use IINM. Is this a ploy to get people to upgrade from XP?
XP Users don't have access to protected mode, it relies on features present in Vista's security model.
Mandatory Integrity Control (MIC), a model in which data can be configured to prevent lower-integrity applications from accessing it. The primary integrity levels are Low, Medium, High, and System. Processes are assigned an integrity level in their access token. Securable objects such as files and registry keys have a new mandatory access control entry (ACE) in the System Access Control List (ACL).
* I'm not sure why Microsoft calls their use of MAC with integrity labels "MIC" instead... I guess it's because MAC is a NIH TLA.
User Interface Privilege Isolation (UIPI) blocks lower-integrity from accessing higher-integrity processes. For example, a lower-integrity process cannot send window messages or hook or attach to higher priority processes This helps protect against "shatter attacks." A shatter attack is when one process tries to elevate privileges by injecting code into another process using windows messages.
The SAM database is in the registry, and the file is locked by the LSA during system operation, therefore not readable unless the system has been booted to a command prompt.
You would need an exploit that allows you to read the registry or gain access to files despite an exclusive lock, for that.
It's more like buy a Ford, get a Brand X GPS for free (included in the Ford).
The Brand X GPS keeps getting flaws discovered that allow random people with a handheld transmitter, to confuse the GPS into giving directions to their store instead of your intended destination.
Another brand, the "Brand F" GPS is 10x better, has expandability, and generally can't be confused that easily.
The "Brand F" GPS is also free, but is not included with your car, you have to navigate to the Brand F download site to get it, and then install it yourself.
Oh yeah... and generally, if you want to use the Brand F GPS, after a clean install you only have the brand X GPS, so you will need to use the brand X GPS to find your way to the "Brand F" GPS download site.
The Brand X GPS has plenty of opportunities during that trip to send you positive cues indicating the high quality of Brand X...
such as presenting you with 'security options' and wizards to walk through, by the time you are finished, you will have forgotten about "Brand F".
Moreover, your computer doesn't come with any instructions about "Brand F", you have to learn about it through separate sources.
Naturally... more people are aware of Ford's existence, than "Brand F".
So it could be a natural result that there are plenty of Ford users, and relatively few have swapped what they believe to be a "High quality Ford GPS" for some off-brand label like "Brand F".
Brand F might be superior, but we're specifically referring to people who are unaware of that fact, or who have insufficient experience to be convinced --- and insufficient trust to "try it" (fear it might break their computer), or lack of understanding of the procedure required to try it.
Installing software is too technical...
oh, besides, corporate policy: "Don't install software. (even major free/open source products)"
Addendum: embarrassed that I mentioned UltraVNC without also mentioning Timbuktu can be made to do this.
VNC normally displays a little icon in the taskbar, but a simple registry setting pushed via login script or group policy can hide it.
It can also be easily hidden in task manager/process viewer, through other methods, I won't mention, because they are easily abusable tricks I don't wish to encourage, not documented anywhere, and relatively unknown to most developers and to the community.
But also not hard to figure out: so, you don't need other people having access to your computer if you want anything close to a security guarantee, you must fully and properly administer and secure your workstations yourself (or have someone trusted due that, without lending access to a large population of admins via domain or central management).
The short of it is you need to be the only Administrator of your workstation, in order to really have a connection to the Unix servers that you can verify the security of.
You are most "secure" with a standalone workstation, having Windows Firewall enabled, no exceptions enabled, no domain membership, forceGuest set to on, and passwords required for all local access.
If your organization requires security of the servers, then ensuring no untrusted admin has the technical ability to screw with workstations is critical.
Just because a naive Windows admin doesn't have a simple way of shadowing your session, doesn't mean it is at all hard.
One group policy setting to deploy "compliance software" such as 3AMI/MAS Employee Monitoring Software, with keylogging enabled, and.. suddenly your SSH sessions and passwords aren't so secure...
Oh, that's just the legal route. Of course, "trojans" or some $5 keylogger can be deployed too, from a system management console, and configured via enforced registry settings.
If you have software installed by someone else, OR someone else has a valid login to your workstation, OR your computer is a member of a Windows domain, then someone else can run software on your computer, and they can also change the configuration to enable them to shadow your session.
And yes, most shrink-wrapped management software provide a way to do this.
Typically, the technology used is VNC, TightVNC, or UltraVNC.
There are also some commercial software (remote access) products that do this.
Most management software allow the running of arbitrary remote programs.
It is trivial to deploy registry settings and software via group policy or remote IPC access, from a domain computer.
Tools included with Windows Server and available through SYSINTERNALs allow this without buying any management suite.
But DameWare, Hyena SystemTools, Purgos, ScriptLogic, LANRev, ZENWorks, IBM Director, all provide point-and-click interfaces to do this sort of thing.
The management software itself may provide a simple "one-click link" to quietly shadow your session.
YOU ARE MISTAKEN!!! GOOD MORNING!
To you, Mr. Wannabe physicist.
Was that fun?
You are missing the fact, that Microwave Ovens despite being 1000 Watts still use Electromagnetic energy with an 0.00001 eV photon.
Cooking an egg is a massive chemical change over a large volume. A change 1/1000th that in magnitude to the human body could still be significant.
Not every molecule in the humam body is a carbon atom.
And the energy emitted doesn't necessarily need to be high enough power to alter a bond. If the photons emitted can be absorbed by other nucleii and cause emission of a higher-energy photon, then a chemical change can occur.
The human body is also not in equillibrium, as there are already chemical processes occuring, and some of these may be sensitive to change in temperature, or uneven sudden heating, even if it's just a couple degrees change in temperature after an hour on the phone.
News readers were typically setgid news.
INN typically had components that ran setgid news and setuid root, since only root can bind ports below 1024, NNTP runs on port 119.
Independent studies are funded by?
Could it be that some of them are secretly funded by organizations of luddites?
It's easy to see how studies funded by wireless technology companies / wireless technology manufacturers could be biased.
But have the funding sources of these "independent" studies been investigated, to ensure their backers don't have an anti-RF, anti-Wireless, or anti-Cellphone agenda?
There are a lot of companies' who lose or are slated to lose business as wireless technologies become ubiquitous and replace wired technology.
Also, there are many non-profits and government interests who would probably like to have cell phones banned.
Or at least require cell providers to give them a 'global off switch' to assist with crowd control.
Moreover, there might be technology companies that want cell phones banned so they can make billions selling a "non-harmful wireless" technology
Also, being able to be the study to show wireless is harmful, would make the people behind the study world-known, they'd get fame notoriety, and cash, as a result of the popularity of their work. E.g. it would be profitable, in the form of lots of media attention, fame in peer-reviewed journals, and a great resume entry for the people heading up the study.
Assessments like number of studies independent VS number of studies industry funded are worthless, unless evidence can be shown that the independent studies were really funded and done by neutral parties who have zero commercial or personal interest in biasing the outcome.
What about 1 million cell phone photons?
I'll agree that the electromagnetic absorpotion due to a single photon is small.
But a cell phone release more than 1 photon, and the total energy and absorpotion of the electromagnetic wave is much larger than one photon.
And might be sufficient to cause heating of tissue and other effects given a sufficient period of direct exposure to a sufficiently strong cell signal.
Err.. hard drive failure in your database system.
For some reason Firefox randomly decides to not type one of the words I typed while the glowing annoying pin-wheel is displaying, and the cursor hasn't caught up yet
Really annoying
RIGHT NOW
Some safety may be built into the standard, but it's done that way for a reason. They need to take action to fix this, and not ignore it on bogus reasoning like safety is built-in to the number.
I would equate this to having a hard drive in your 30,000 transactions per second, multi-million dollar database system, and deciding not to do anything right now.
Because your RAID10 array has ample safety built into it, and you don't have a catstrophe yet. *Yawn* we can just ignore the problem.
Scanners exist because people want scanners, and so people can sell a product labelled "security scanner". And get a feel-good (false) sense that everything is secure when the scanner reports no issues.
This idea started with the general idea of vulnerability scanner, tools designed to scan hosts for open ports, check software versions, and try exploits against known issues.
The problem with all of them is they can only detect anticipated vulnerabilities.
Unknown vulnerabilities are not properly detected by scanner, because they cannot be anticipated by software.
Much like Antivirus, they need pattern updates and a re-scan when new issues are discovered. Sometimes they don't get updated at all -- sometimes new vulnerabilities are discovered, but a test doesn't get created for the scanner.
Sometimes hackers become aware of security vulnerabilities that the maker of the scanner doesn't become aware of.
Sometimes the hacker can analyze the app you are running (which is industry-specific, not common), and tailor an attack against you, that the scanner vendor could never anticipate.
So are scanners worth something? Sure. But usually not nearly as much as the software vendor bills for them -- they are more fallible than even virus scanners (at least viruses, and malware are finite in number, even if a very large number --- there are more potential security vulnerabilities than one could possibly imagine).
For ObamaCare's Nobel Prize in 2011.
And MySpace's prize in 2012.
This is like giving the telephone a nobel peace prize.
The prize should not be awarded to the medium, but to actual people....
The internet is not a person, as a result, they can never show up to claim their prize.
I would support giving a Nobel prize to Jon Postel, (but unfortunately he's dead and therefore inelligible), Tim Berners lee, and others, such as Linus Torvalds, Mark Zuckerburg, or shudder Bill Gates.
Before the internet can get a nobel peace prize, computers, and their operating systems should, since they are a pre-requisite and even more crucial to bringing peace :)
There's nothing wrong with some people still using DOS apps, but there aren't that many of them.
They should have to install/enable the feature manually for the program as admin before they can run the DOS app.
For the same reason UUcp or NNTP is not shipped with BSD/Linux anymore, despite some people still using it.
It is a security risk to have unmaintained software or infrequently used functions available or running by default. Since hardly anyone uses UseNet or NNTP anymore, having a NNTP service running or a setuid newsreader installed by default, would be a needless risk.
There should be no middle ground for any part of the system: either it gets blocked or disabled by default, or it gets full scrutiny during security audits.
It only takes one vulnerability.
Then, they would be one of the few windows users who would need the feature manually enabled by the admin for that one program.
But it doesn't need to be enabled in general so that arbitrary programs can easily be run in 16-bit mode just by downloading them and double-clicking a .EXE or .PIF.
Yes... the only question is... Why didn't Microsoft disable running DOS apps by default?
Since hardly anyone does it, and the facility is only provided for backwards compatibility, it ought to require explicit manual admin action to enable.
Given the security risk exposure of having such a rarely-used feature exposed as part of the potential attack surface.
Because you can't control the timing or amount of energy transferred precisely, or where exactly it gets transferred to?
So what does screen actually do to protect the programs inside? I mean with the privileges to attach the screen and not knowing the pw, you usually also have the privileges to debug the bastard and skip the pw check altogether.
The screen binary is supposed to be setGID. Normally setGID tty or setUID root.
Once the binary is launched with setGID privileges, it is not possible to attach a debugger to it, unless you are root.
Of course, root can do anything, unless you have taken special precautions, such as a restrictive SELinux MAC policy, set the capabilities bounding set, or increased the system's securelevel, to remove privileges from the root user.
If it was just the corporations, then the other people would start making more sales when they tried to impose their will.
Individual authors, e.g. self-publishing eBook authors would probably want to charge the higher prices too.
The thing is... the fewer books you sell, the higher your average costs per book.
You sell 1 million books... thanks to bookstores, and major retailers pushing your product, the price you need to charge to make a certain profit is much less.
If you self-publish and you sell 1000 copies through word of mouth online print-on-demand, your costs per book (avg) are much higher, and you have to have charged a higher price to break even.
Oh yeah, and you can't predict how many copies of a certain title will sell in advance.
You can only guess and price your risk in.
In theory, you should charge less if you forecast a larger number of sales, because your bulk printing costs are less per book.
Publishers don't work that way though.... quite the opposite.. they'll charge more for books from popular authors they anticipate making more sales of.
The more popular they anticipate the title to be, the more copies the print, and the higher price they charge per book. The more relatively unknown authors, get fewer books printed, lower prices
Anyways, i'm sure this is more profitable -- more cash for the shareholders, even though it involves screwing the consumer. Pure greed.
Hence the reason $9.99 "Isn't enough" for a general-audiences eBook from a major publisher.
*Note: I can certainly understand technical non-fiction eBooks such as programming language books with small audiences being more expensive-- extensive research and expensive expertise required to author, limited audience.
.... But.. if it didn't carry a price tag, who would want to buy it, and how could there be any profit in selling it?
Murdoch's profits, the sustainability of his investments, and perhaps the very survival of his companies as they exist currently hinge on there being a price-tag.
They don't have to crack DHE in general, all they need to crack is diffie-hellman-group1-sha1.
Since a fixed DH group is used, this could be attacked through precomputing many values for the discrete logarithm.
If the key negotiation happens to fall into one of the precomputed values, then that session is in trouble.
Of course, the answer is yes.
Also, if you yourself use the Remote Desktop protocol, in some scenarios it is not as secure as SSH.
Remote Desktop connections are encrypted, of course, but there are two problems:
In other words, if you use RDP, and have not gone to substantial lengths to secure against MiTM attack, then if you yourself use RDP, it will be much less secure than the typical SSH setup (where each server has its own host key, and the client has memorized or been populated with the correct ones).
Does XP have a protected mode? That's the version of Windows most people use IINM. Is this a ploy to get people to upgrade from XP?
XP Users don't have access to protected mode, it relies on features present in Vista's security model.
* I'm not sure why Microsoft calls their use of MAC with integrity labels "MIC" instead... I guess it's because MAC is a NIH TLA.
Or Passwords.doc. A lot of folks don't know about notepad (or Notepad++/TextEdit/ScIte/Emacs) and just use MS word for everything.
The SAM database is in the registry, and the file is locked by the LSA during system operation, therefore not readable unless the system has been booted to a command prompt.
You would need an exploit that allows you to read the registry or gain access to files despite an exclusive lock, for that.
It's more like buy a Ford, get a Brand X GPS for free (included in the Ford). The Brand X GPS keeps getting flaws discovered that allow random people with a handheld transmitter, to confuse the GPS into giving directions to their store instead of your intended destination.
Another brand, the "Brand F" GPS is 10x better, has expandability, and generally can't be confused that easily.
The "Brand F" GPS is also free, but is not included with your car, you have to navigate to the Brand F download site to get it, and then install it yourself.
Oh yeah... and generally, if you want to use the Brand F GPS, after a clean install you only have the brand X GPS, so you will need to use the brand X GPS to find your way to the "Brand F" GPS download site.
The Brand X GPS has plenty of opportunities during that trip to send you positive cues indicating the high quality of Brand X... such as presenting you with 'security options' and wizards to walk through, by the time you are finished, you will have forgotten about "Brand F".
Moreover, your computer doesn't come with any instructions about "Brand F", you have to learn about it through separate sources.
Naturally... more people are aware of Ford's existence, than "Brand F". So it could be a natural result that there are plenty of Ford users, and relatively few have swapped what they believe to be a "High quality Ford GPS" for some off-brand label like "Brand F".
Brand F might be superior, but we're specifically referring to people who are unaware of that fact, or who have insufficient experience to be convinced --- and insufficient trust to "try it" (fear it might break their computer), or lack of understanding of the procedure required to try it.
Installing software is too technical... oh, besides, corporate policy: "Don't install software. (even major free/open source products)"
Addendum: embarrassed that I mentioned UltraVNC without also mentioning Timbuktu can be made to do this.
VNC normally displays a little icon in the taskbar, but a simple registry setting pushed via login script or group policy can hide it.
It can also be easily hidden in task manager/process viewer, through other methods, I won't mention, because they are easily abusable tricks I don't wish to encourage, not documented anywhere, and relatively unknown to most developers and to the community. But also not hard to figure out: so, you don't need other people having access to your computer if you want anything close to a security guarantee, you must fully and properly administer and secure your workstations yourself (or have someone trusted due that, without lending access to a large population of admins via domain or central management).
The short of it is you need to be the only Administrator of your workstation, in order to really have a connection to the Unix servers that you can verify the security of. You are most "secure" with a standalone workstation, having Windows Firewall enabled, no exceptions enabled, no domain membership, forceGuest set to on, and passwords required for all local access.
If your organization requires security of the servers, then ensuring no untrusted admin has the technical ability to screw with workstations is critical.
Just because a naive Windows admin doesn't have a simple way of shadowing your session, doesn't mean it is at all hard.
One group policy setting to deploy "compliance software" such as 3AMI/MAS Employee Monitoring Software, with keylogging enabled, and.. suddenly your SSH sessions and passwords aren't so secure... Oh, that's just the legal route. Of course, "trojans" or some $5 keylogger can be deployed too, from a system management console, and configured via enforced registry settings.
If you have software installed by someone else, OR someone else has a valid login to your workstation, OR your computer is a member of a Windows domain, then someone else can run software on your computer, and they can also change the configuration to enable them to shadow your session.
And yes, most shrink-wrapped management software provide a way to do this. Typically, the technology used is VNC, TightVNC, or UltraVNC.
There are also some commercial software (remote access) products that do this.
Most management software allow the running of arbitrary remote programs. It is trivial to deploy registry settings and software via group policy or remote IPC access, from a domain computer.
Tools included with Windows Server and available through SYSINTERNALs allow this without buying any management suite.
But DameWare, Hyena SystemTools, Purgos, ScriptLogic, LANRev, ZENWorks, IBM Director, all provide point-and-click interfaces to do this sort of thing.
The management software itself may provide a simple "one-click link" to quietly shadow your session.